CSPAN: The Communicators. News/Business. People who shape the digital future.

October 29, 2012, 8:00 - 8:29pm EDT

8:00pm
>> the environment of people and machines and networks as new domain of war, and yet we realize that maybe one in a thousand people really understood what cyberspace was and the degree and the depth of the vulnerabilities. and so what we're trying to do
8:01pm
in the zero days series is to take pieces of it and explain the fundamentals and the platonic idea is that everybody from my mom and dad to congress, um, and people around the country can understand and so maybe start the process of coming up with ways for us to defend cyberspace better. >> host: well, if you look at cyberspace in the united states right now, how would you describe security overall? much as we would describe, maybe, crime or break-ins in a neighborhood? >> guest: well in the spirit of the explanatory mission we have, you can't really talk about cyberspace in the united states. a computer user in washington, d.c. or in wichita or san francisco is effectively working shoulder to shoulder with a computer user in beijing or in moscow. there's literally no seconds of difference in space and time in
8:02pm
cyberspace. so i thought i'd point that out. as for the security, the reality is that, um, it's almost remarkable how vulnerable computer systems are. and cyberspace, um, is not what most people think it is. most people now equate cyberspace with the internet. but if they want to think about what cyberspace is, it's the gps system on the new cars, it's the iphone and the droids, it's jet fighters and jet planes. anything that is driven by computers, excuse me, by computer code and is linked to networks, um, can be a part of cyberspace. and the vulnerabilities are, um, almost stunningly pervasive. >> host: can you give an example? >> guest: well, sure. charlie miller, who is a former government hacker who worked on the good side is now a security potentialist, one of the great
8:03pm
hackers in the world, a white hat hacker, he last year decided to explore vulnerabilities in the iphone, and he found a vulnerability in the iphone that when he deployed it the right way, this was for a contest, it enabled him to take over a portion of that iphone. industrial control computers run water systems and electric grids and so on. last year a disgruntled hacker abroad went into a water system in south houston in texas and got control of those computers. the list goes on and on. there's hacks of google, hacks of a security firm, rfa. there are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day in the world. probably the most phenomenal
8:04pm
attack involves a worm called stuxnet, and in that case the united states government -- i think working with israel -- but the united states government developed a computer worm that went into the nuclear processing facilities in iran and disrupted centrifuges. >> host: so it was developed by the u.s. government? >> guest: yes. according to some reporting by "the new york times." >> host: and what was its purpose? was it a defense mechanism? was it the defense department? >> guest: no. it was purely an offensive, preemptive effort to slow the nuclear weapons processing capability of iran. >> host: well, you mentioned charlie miller, and mr. miller is in st. louis, and he joins us today on "the communicators." mr. miller, what was your, what was your goal in breaking into the iphone? >> guest: well, in that
8:05pm
particular case it was for a contest, like robert mentioned. they have this contest every year, hackers across the world enter it, and they have various devices. if you can break into the devices, you win some cash and the device itself. so that was my goal. i won that contest a few times. earlier in my career it was more about showing that things like iphones or, you know, desktops running apple software were vulnerable because it wasn't believed that it was, but now it's just, you know, i've shown vulnerabilities in iphone, i've found attacks where i can take over an iphone in the past. all these are fixed now because part of the contest is that all these vulnerabilities get fixed after the contest. it's a fun way to show off your skills and still everyone is protected by the attacks that you come up with. >> host: how long did it take you to break into this iphone, and from where did you do it? an office? where? >> guest: okay. so the iphone attack, it probably -- i mean, at the
8:06pm
contest it only took a few seconds, but the preparation is the important part. so it probably took me, you know, maybe a month of preparation with a colleague of mine. so, you know, a few weeks of looking for a vulnerability, a few weeks of taking that and making it into an exploit that i could actually use to attack the phone. the actual contest took place in a security conference in vancouver, and so i was actually physically in vancouver, and they had a, you know, iphone there, and, you know, i attacked it and stole a bunch of data off it, and that was the proof that i had succeeded. >> host: so, charlie miller, could you do this from your living room? could you break into a bank, break into other devices from your living room? >> guest: yeah. that's the amazing thing about, you know, cybersecurity is you don't have to physically be anywhere. you know, we're all connected. well, mostly. any device that's on your phone, your computer, in the future your refrigerator, anything
8:07pm
that's on the internet you can get to from basically anywhere. so that's one of the things that makes defense difficult, right? so you don't have to just defend against your neighbor, you have to defend against the guy in belarus, so it's a whole different program. >> host: well, robert o'harrow described you as a good guy hacker, a white hat hacker. what does that mean, and what's the motive of some of the black hat hackers? >> guest: okay. so the white hat, the good guy hackers like was explained, so, um, we're the guys who, you know, we develop skills to do the same thing that bad guys can do. so we can break into computers, but i instead of -- instead of stealing information and causing problems, we, you know, tell everyone what we did, try to work with vendors to make their products more secure, you know, give talks about security and how to make it better. and so we're -- while we can break in and do harm, we don't.
8:08pm
we just, we show how you can break in to improve security. on the other hand, there's the actual bad guys, and they have various ranges and motives from just, you know, teenagers goofing off and trying to impress their friends to, you know, actual organized crime trying to steal money and credit card information to, you know, governments trying to, you know, commit espionage and, you know, actual cyber warfare. so there's a whole range of attackers on the black hat side. >> host: now, we didn't get a whole lot of your bio, but we understand that you worked at the national security agency for a while and are now with twitter. what did you do with nsa? >> guest: well, i can't say too much about that, but i worked there for five years. i worked in their, you know, computer security, um, group, and i can't say a whole lot more than that. [laughter] >> host: and you're with twitter now, correct? >> guest: yep, yep. so between that time i, basically, for the last say
8:09pm
seven years before twitter, i just started a couple months ago, i was security consultant. so companies would hire the company i worked for, and we would come in and test their products for them. basically, you know, take the role of the bad guy and break in and show them how we did it, what went wrong, how they can do better to make it where the real bad guy can't do that. >> host: robert o'harrow, were you able to get into contact with any bad guy hackers and to learn what their motives were? >> guest: i've talked to bad hackers, and the motives are, as charlie said, all over the place. i've watched details about bad hackers, and we know, for example, that some of them are prepping infiltrating systems with long-lasting threats in the event that there's ever a cyber conflict or cyber war. our power grids, our national labs, um, corporate systems all over the united states are
8:10pm
already, are already been intruded and on, and it's believed that there are trojan horses that are already put on. lots of espionage is occurring. we know that there are groups in russia and in china, for example, that work regular hours breaking into systems and stealing information. massive amounts of information. so the motives are the same motives that you might find with any array of bad people; money, manipulation, intelligence and prepping for cyber war. >> host: um, charlie miller, for casual users, regular users of the internet who may do some online banking, surf the internet and, you know, send e-mails, what kind of protection would you recommend to those people? >> guest: well, the regular users are in a pretty good
8:11pm
place. we've been -- by we, i mean the security, um, industry -- has been working for quite a few years in trying to make that sort of thing secure, and it's pretty good. so if you just use your browser, you have antivirus, you don't just go to random sites and download things, you're in pretty good shape. the biggest risk of, say, like your phone being attacked, so we talked about the iphone attack earlier that i did, that's still extremely rare. you're way more likely to lose your iphone in a bar and have someone steal it than to have a bad guy attack your phone. so there's the one side is if your attackers are teenagers or organized crime and you play it halfway safe and you're not a big target, you're probably okay. the more interesting thing, i think, is when you are the u.s. government or you're google or you're, you know, the white house and there's -- no matter what you do, you're still a target. and your attackers instead of being teenagers are, you know,
8:12pm
whole branches of governments, you know, militaries from other countries. and there we don't really know what to do. and so there's a lot of open questions there. >> guest: to follow up on charlie's remarks, cyberspace is a collection of machines and people. people are a part of the network. the very, very baddest of bad guys have taken on something called social engineering as a way of attacking. and you may not be an inherently interesting target, but you may be vulnerable to social engineering because, essentially, what they're doing is trying to pretend to be your friend, a family member. after doing homework, they may send you an e-mail or direct you to a web site that's loaded with the attack code. and if you are related to someone that they're targeting or if you work at a company that the bad guys want to target, you may fall prey to this social
8:13pm
engineering. and, um, there's almost no way to stop it because of the clever nature of it. recently we did a story about, again, chinese hackers who are going after gas pipeline companies, intelligence contractors here in washington, security consultants and others, and it was all part of the same campaign, and it looked like part of an espionage effort. and it was based on social engineering messages that looked like they were coming from in-house, but they were really coming from these chinese hackers. >> host: charlie miller, we talk about chinese or iranian hackers. who are these people? are they employed by the government? where? >> guest: we don't really know. so we can trace back attacks somewhat, but it's difficult. if a computer here in washington, d.c. is attacked, um, we can trace back, oh, that attack came from a computer in china. but that's not to say that there
8:14pm
was necessarily a person sitting at that computer in china. maybe that, you know, that attack came from that computer which came from a computer in korea which came from a computer in germany which came from a computer in moscow, so we don't really know. it's very difficult to trace back attacks, and that's one of the major differences between, say, cyber war and conventional war. if someone drives a tank across your border, you know who did it. if you get attacked, you may think it was the chinese, but you don't know for sure. was it a teenager? was it the chinese army? it's difficult to ascertain where the attacks are coming from. we have guesses, but we don't know for sure. >> guest: charlie's alluding to sort of the core nature of what cyberspace is. it's networks of networks. and because of the fundamental architecture of these networks, data bounces from computer to computer all the time, and when he describes somebody in germany
8:15pm
who might be sending something through a computer in south korea that might be going through china, that's sort of garden variety hop, skip and jump for data in cyberspace. and it brings up a really interesting issue not just with cybersecurity, but with cyber war. because if you don't know precisely who's attacked you -- what they're calling attribution -- then how do you respond in kind to prevent attacks in the future? and that's one of the great dilemmas that our military has; how do you hold them accountable for stealing, damaging or what not? now, one has to believe and hope that the nsa -- and i do, actually -- has cracked this problem to some degree. but the attribution problem for corporations, um, and many government agencies is a very real thing, a very difficult problem in this digital age of ours.
8:16pm
>> host: robert o'harrow, you write about a series called tridium. why do you do that? >> guest: they're a company that came up with a really interesting idea not long after the web browsers back in the '90s were released and use of the worldwide web which lays over the top of the internet makes it really easy. we all take it for granted now. it was becoming common. and what they did was they realized that the web browser could be like a universal remote control that could direct devices anywhere in the world that were connected to the networks. so, for example, the security camera. you could use your mouse to have the security camera look left or look right. you could be sitting in washington and controlling a camera in san francisco. heating systems all over the place. you might be controlling five buildings, high-rises, elevators, medical devices to
8:17pm
some degree, um, and also access control for security. let's say at a pentagon facility, which is a real example. but it turns out that tridium became so popular and moved so quickly -- >> host: and profitable? >> guest: well, it's, its financials aren't available, but one assumes. they were acquired by honeywell several years ago. but they're very popular, and they grew very quickly, and their system is used in 52 countries now. but it turns out that it was vulnerable to a very well known, rather old vulnerability that hackers knew about, everybody's known about for years. and so i thought the story was valuable and instructive because it showed that the gee whiz component has sometimes blinded software makers and
8:18pm
manufacturers, and the profits that lay, you know, within reach have sometimes maybe blinded them or clouded their view of risk so that they rush forward with the technology before it's as secure as it probably should be. charlie has given some terrific talks about the incentive structures for software makers and whether or not they're properly in balance to make sure that they're secure with their software before they release it. but i'll let him speak for himself on that. >> host: well, mr. miller, if you would speak to that. >> guest: sure. so we're in a situation where we all run code that was written by a vendor like microsoft or apple or cisco or whoever. um, and the problem is it's very difficult to write secure code, code that's perfect with no vulnerabilities. and it's hard to measure whether a code is secure. so even an expert like myself, it's very difficult for me to tell you whether if given two
8:19pm
programs, which one is more secure than the other. so it's hard to measure, and people don't want to necessarily pay for that. so we all want to buy the latest gadget, the latest iphone or whatever, and we don't really think to ourself how secure is it? maybe i shouldn't buy it because it's not secure. so companies, you know, they're out to make money, and, you know, that's what they're there for. so they want to push products out the door, beat their competitors, have the newest features, but they don't necessarily want to take the time it takes to make sure their product's secure. and consumers so far haven't demanded it. so we all use the software, and we're all vulnerable because the software is written in a way that was, you know, intended to maximize new features and profit and not intended to, you know, maximize security. >> guest: charlie just raised a really interesting issue i'd like to just underscore which is consumers, people, have not asked for more secure products for the most part.
8:20pm
that's related in part to the fact that very few people really understand cyberspace and how it all works. we all love the benefits. it's miraculous. we're -- i would venture to say charlie is among those who are thrilled with the miracle of the internet and all the networks and the computing power and the benefits it brings to all of us and society. but the fact is many people are afraid to actually confront the trade-offs that come with all these benefits. and one of the things that we're trying to do at the post with zero day is not to scream the sky is falling, because it's not, but to try to make clearer those trade-offs so that people can start making better decisions, um, and can start asking for better security. and in some ways maybe, eventually, ask the companies that are making technology and writing code to shoulder the full cost of doing business which i would argue involves creating a secure product.
8:21pm
>> host: charlie miller, what about when it comes to social media and the sharing of information that we as consumers do with google, facebook, etc., etc. is that, does that lend itself to less secure networks? >> guest: i mean, it doesn't affect the network per se, but what it does is it puts a lot of our information, sometimes private information, out there. so if you had never connected to the internet, no one would necessarily know what you liked or if you were dating someone. it's still out there on some server out there, so some bad guy could get to it if they wanted. so i think if you consider that a while ago no one would ever agree to carry around a tracking device, right? but now we all carry around cell phones which you can inherently track. and no one would ever have posted, you know, let anyone read their e-mail. but right now a lot of us use
8:22pm
gmail, and all of our mail is stored on a server at google. so it's just interesting that we as a society have given our information out. whether we want it to be for everyone or just for a few people, it's out there, you know, on someone's server, and so people can get to it. and that's sort of changed the whole way of privacy in this age. >> host: so are you finding as a security consultant that the social medias of the world, the facebooks, the twitters, etc., that they are leading in security precautions or not? >> guest: well, some of them certainly are. google makes a show, for sure, for having a pretty secure web browser in chrome, but right now, not too long ago they were attacked by they think the chinese, and they were able to get in their networks and steal a lot of data. and so even the best get hit.
8:23pm
another example is microsoft. about ten years ago, they started a program to try to produce secure software. so back when windows 98 was out, it was really awful. but now the newest version of windows is quite good. so they've really spent a lot of time trying to make it better. but still there's, you know, every month when you have to download a new patch, that's because someone has found a vulnerability. so still we have a long way to go, and we all rely on the software, and we're all vulnerable because of the software. >> host: robert? >> guest: a couple of thoughts, and this is a thread that i'm pursuing right now as part of my series. it turns out that a lot of people have heard of electronic medical records or health records. i'm just now learning that a lot of those records that are being created as part of health care reform are being kept on remote servers. in fact, the doctors that have the electronic health records system don't have the records anymore. they're being kept by contractors on servers, and
8:24pm
charlie triggered that. the other thing that's really interesting is i think the software makers and the vendors really get credit or ought to get credit for improving security. things are much better on a lot of products and software than five or ten years ago, certainly. what i've been hearing lately over and over again is that the bad guys are getting faster than the good guys are getting better. in other words, the attack methods, the cleverness, the ways of evading detection are improving faster than security, um, on the good side of things. and, of course, that's very troubling in part because when you boil it all down, no one still fully understands what happens when billions of people and billions of devices interact in many cyberspace, and the bad guys take advantage of those clouds of uncertainty. >> host: charlie miller, what's your message to congress, to
8:25pm
department of homeland security, to dod? >> guest: well, i guess it would be that we spent a lot of time, you know, we're a lot better than we were ten years ago. we're less vulnerable in that software's a lot better, we have a lot more protections built in. so if you want to run a, you know, a company and keep out the average hacker, we know how to do that now. but what we don't know how to do is secure, you know, military systems that get some attacks by other governments. so some well-funded, very creative hackers still can beat us, and we need to figure out whether it's holding the vendors to task, whether it's building new defenses we don't know yet, we need to defend against sophisticated hackers which is something we don't know how to do right now. >> host: robert o'harrow, your series -- which, by the way, is linked to our web site -- has gotten some response from dhs,
8:26pm
and often when you write, the next day there's an official announcement. >> guest: right. there's been some reaction to it. it's -- that's more typical of an investigative series. but i'm trying to merge the homework with mentors like charlie miller and officials in the government, officials out, hackers, i mean, these young guys that are breaking into things sort of teaching. so there's been some response, and that's gratifying. i think that our mission at "the washington post" here is to, is somewhat platonic in the sense that we really want to teach people so that everyone is on the same page generally speaking so good policy can grow out of that. we're really not in a position of offering policy suggestions because it's so complex, it's so difficult. but i do think that congress, if i had one recommendation, it would be really good if they immersed themselves in the
8:27pm
subject and then came up with some plans for making things better. may i note that we're trying to contribute further to the education. the post has a conference with some very senior former intelligence officials, hackers and others coming up at the end of the month, and they can find out more at washingtonpost.com. >> host: and is that open to the public? >> guest: it'll be open to the public, and it's going to be a fascinating day because you'll have, as i said, people who are directly involved in helping to establish policy or formally running, for example, the nsa or cyber command and so on getting together to discuss these issues and going through some scenarios. so, um, like i said, that'll be at the end of the month at "the washington post." >> host: well, as i mentioned, robert o'harrow's series in "the washington post" is linked to our site at c-span.org/thecommunicaters. and charlie miller is a computer
8:28pm
security researcher and twitter employee, also known as a good guy hacker. he's been joining us from st. louis. mr. o'harrow, thank you for being on "the communicators." >> guest: thanks for having me.